What happened
Kyrgyzstan-based cryptocurrency exchange Grinex suspended operations on April 15, 2026 after a hack drained approximately $13.7 million in USDT from wallets belonging to Russian users. The stolen funds were routed to TRON and Ethereum addresses and quickly converted to TRX and ETH via the SunSwap decentralized trading protocol, a move blockchain analysts note was designed to prevent Tether from freezing the assets. Grinex attributed the attack to foreign intelligence agencies from what it described as hostile states, claiming the operation was coordinated to damage Russia’s financial sovereignty. No technical evidence supporting that attribution has been published by Grinex, Elliptic, or TRM Labs. Blockchain analysis firm TRM Labs identified approximately 70 attacker addresses and found that TokenSpot, a separate Kyrgyzstan-based exchange with close ties to Grinex, was simultaneously compromised for a smaller amount. Grinex is widely believed to be a rebrand of Garantex, a Russian crypto exchange sanctioned by the U.S. Treasury in 2022 for laundering funds tied to ransomware groups and darknet markets including Conti and Hydra. The Treasury sanctioned Grinex in August 2025 on the basis that it absorbed Garantex’s customer base and continued its role facilitating sanctions evasion, including through a ruble-backed stablecoin called A7A5. TRM Labs also linked TokenSpot to Houthi-linked laundering operations, weapons procurement, and a Russian-aligned influence operation in Moldova.
Who is affected
Russian users with funds on the Grinex platform are directly affected, with over one billion rubles in user wallets drained and no recovery timeline provided. The simultaneous compromise of TokenSpot indicates the attack extended across at least two interconnected exchanges operating within the same sanctions-evasion ecosystem.
Why CISOs should care
The Grinex incident is primarily relevant to security leaders through its sanctions and third-party risk dimensions. Grinex and its predecessor Garantex were explicitly sanctioned for facilitating payments to ransomware operators. Any organization with exposure to cryptocurrency payment flows, vendor relationships touching sanctioned entities, or operations in jurisdictions where Russian-linked exchanges remain active should understand that the financial infrastructure supporting ransomware payments is itself under active pressure from multiple directions, including state-level disruption. The unverified attribution claim also illustrates a continuing pattern of sanctioned actors framing operational failures as geopolitical attacks.
3 practical actions
- Screen cryptocurrency payment exposure against sanctions lists: Confirm that any cryptocurrency transactions processed by or on behalf of your organization are screened against OFAC and equivalent sanctions lists, and that controls are in place to block interactions with sanctioned exchanges and their known wallet addresses.
- Monitor ransomware payment infrastructure disruptions: Track enforcement actions and disruptions targeting exchanges linked to ransomware payment processing, as operational collapses at platforms like Grinex can affect attacker liquidity and shift extortion behaviors.
- Flag TokenSpot and related addresses in threat intelligence feeds: Add the approximately 70 attacker addresses identified by TRM Labs and the wallets disclosed by Grinex to relevant blocklists and threat intelligence platforms used for transaction monitoring or incident response.
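As an added illustration of the first and third actions (this is example code, not code from the article, Grinex, or TRM Labs), the routine below screens TRON and Ethereum addresses in a transaction feed against a sanctions blocklist. Every address in it is a constructed placeholder, since the article does not publish the attacker wallets; the blocklist would be populated from the OFAC SDN digital-currency entries and the TRM Labs / Grinex disclosures. It also handles the trap naive screening misses: Ethereum addresses are case-insensitive hex (EIP-55 checksum casing is cosmetic), so list and feed must be normalized or a match is silently lost, while TRON base58 addresses are case-sensitive and compared verbatim.

```python
import re

# Constructed placeholder entries, NOT real sanctioned or attacker addresses.
ETH_LISTED = "0x" + "0" * 36 + "C0DE"              # EIP-55 style mixed case
TRX_LISTED = "TDummySanctionedAddrForDemoUse1234"  # base58, case-sensitive
SAMPLE_BLOCKLIST = [("ETH", ETH_LISTED), ("TRX", TRX_LISTED)]

EVM_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")
TRON_ADDR = re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")


def normalize(chain, addr):
    """Canonical form for matching: lowercase EVM hex, verbatim TRON base58."""
    addr = addr.strip()
    if chain == "ETH":
        if not EVM_ADDR.match(addr):
            raise ValueError(f"malformed EVM address: {addr!r}")
        return addr.lower()
    if chain == "TRX":
        if not TRON_ADDR.match(addr):
            raise ValueError(f"malformed TRON address: {addr!r}")
        return addr
    raise ValueError(f"unsupported chain: {chain}")


def build_index(entries):
    """Normalize every blocklist entry once so lookups are exact-match."""
    return {(chain, normalize(chain, addr)) for chain, addr in entries}


def screen(transactions, index):
    """Return (tx id, side) for each transaction side that hits the blocklist."""
    hits = []
    for tx in transactions:
        for side in ("from", "to"):
            if (tx["chain"], normalize(tx["chain"], tx[side])) in index:
                hits.append((tx["id"], side))
    return hits


# Constructed feed: tx1 carries the listed ETH address in lowercase form,
# tx2 sends from the listed TRON address, tx3 is clean.
SAMPLE_TXS = [
    {"id": "tx1", "chain": "ETH", "from": "0x" + "1" * 40, "to": ETH_LISTED.lower()},
    {"id": "tx2", "chain": "TRX", "from": TRX_LISTED, "to": "T" + "2" * 33},
    {"id": "tx3", "chain": "ETH", "from": "0x" + "2" * 40, "to": "0x" + "3" * 40},
]

if __name__ == "__main__":
    for tx_id, side in screen(SAMPLE_TXS, build_index(SAMPLE_BLOCKLIST)):
        print(f"BLOCK {tx_id}: '{side}' address is on the sanctions blocklist")
```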
